245628 2022-09-24 12:31:27 -0700 [JSC] Mark Intl.DurationFormat structure 2022-09-24 23:07:12 -0700 1 1 1 Unclassified WebKit JavaScriptCore WebKit Nightly Build Unspecified Unspecified RESOLVED FIXED InRadar P2 Normal --- 1 mikhail ysuzuki bfulgham webkit-bug-importer ysuzuki oldest_to_newest 1900919 0 462586 mikhail 2022-09-24 12:31:27 -0700 Created attachment 462586 Testcase Tested on linux intel 64 and ARMv7. The regression seems to have been introduced by commit 0a1408274330aa1999490790cee7d2b9b3b8ac2b. Running the attached test case fails with the following message: $ ./WebKitBuild/Debug/bin/jsc bar.js ASSERTION FAILED: decontaminate() /home/mgadelha/tools/WebKit/Source/JavaScriptCore/runtime/StructureID.h(130) : JSC::Structure *JSC::StructureID::decode() const Aborted (core dumped) The backtrace: #0 __pthread_kill_implementation (no_tid=0, signo=6, threadid=140737246848832) at ./nptl/pthread_kill.c:44 #1 __pthread_kill_internal (signo=6, threadid=140737246848832) at ./nptl/pthread_kill.c:78 #2 __GI___pthread_kill (threadid=140737246848832, signo=signo@entry=6) at ./nptl/pthread_kill.c:89 #3 0x00007ffff19f5476 in __GI_raise (sig=sig@entry=6) at ../sysdeps/posix/raise.c:26 #4 0x00007ffff19db7f3 in __GI_abort () at ./stdlib/abort.c:79 #5 0x00007ffff427127b in WTFCrashWithInfo () at WTF/Headers/wtf/Assertions.h:754 #6 0x00007ffff42e529e in JSC::StructureID::decode (this=0x7ffe00007dd0) at /home/mgadelha/tools/WebKit/Source/JavaScriptCore/runtime/StructureID.h:130 #7 0x00007ffff42e4b75 in JSC::JSCell::structure (this=0x7ffe00007dd0) at /home/mgadelha/tools/WebKit/Source/JavaScriptCore/runtime/JSCellInlines.h:137 #8 0x00007ffff42e8dd9 in JSC::Heap::writeBarrier (this=0x7fffa6000080, from=0x7fffe8020668) at /home/mgadelha/tools/WebKit/Source/JavaScriptCore/heap/HeapInlines.h:121 #9 0x00007ffff42e8d44 in JSC::VM::writeBarrier (this=0x7fffa6000000, from=0x7fffe8020668) at /home/mgadelha/tools/WebKit/Source/JavaScriptCore/runtime/VM.h:894 #10 0x00007ffff42e8973 in JSC::AuxiliaryBarrier<JSC::Butterfly*>::AuxiliaryBarrier<JSC::Butterfly*&> (this=0x7fffe8020670, vm=..., owner=0x7fffe8020668, value=@0x7fffffffc820: 0x0) at /home/mgadelha/tools/WebKit/Source/JavaScriptCore/runtime/AuxiliaryBarrierInlines.h:39 #11 0x00007ffff42e8775 in JSC::JSObject::JSObject (this=0x7fffe8020668, vm=..., structure=0x7ffe00007dd0, butterfly=0x0) at /home/mgadelha/tools/WebKit/Source/JavaScriptCore/runtime/JSObject.h:1374 #12 0x00007ffff42dd7bd in JSC::JSNonFinalObject::JSNonFinalObject (this=0x7fffe8020668, vm=..., structure=0x7ffe00007dd0, butterfly=0x0) at /home/mgadelha/tools/WebKit/Source/JavaScriptCore/runtime/JSObject.h:1202 #13 0x00007ffff5a0a04d in JSC::IntlDurationFormat::IntlDurationFormat (this=0x7fffe8020668, vm=..., structure=0x7ffe00007dd0) at /home/mgadelha/tools/WebKit/Source/JavaScriptCore/runtime/IntlDurationFormat.cpp:74 #14 0x00007ffff5a09ef1 in JSC::IntlDurationFormat::create (vm=..., structure=0x7ffe00007dd0) at /home/mgadelha/tools/WebKit/Source/JavaScriptCore/runtime/IntlDurationFormat.cpp:63 #15 0x00007ffff5a51da2 in JSC::constructIntlDurationFormat (globalObject=0x7fffa641a068, callFrame=0x7fffffffca40) at /home/mgadelha/tools/WebKit/Source/JavaScriptCore/runtime/IntlDurationFormatConstructor.cpp:90 #16 0x00007fffa71ac0c7 in ?? () #17 0x00007fffffffcae0 in ?? () #18 0x00007ffff4231e37 in js_trampoline_op_construct_varargs () from /home/mgadelha/tools/WebKit/WebKitBuild/Debug/lib/libJavaScriptCore.so.1 #19 0x0000000000000000 in ?? () (gdb) #0 __pthread_kill_implementation (no_tid=0, signo=6, threadid=140737246848832) at ./nptl/pthread_kill.c:44 #1 __pthread_kill_internal (signo=6, threadid=140737246848832) at ./nptl/pthread_kill.c:78 #2 __GI___pthread_kill (threadid=140737246848832, signo=signo@entry=6) at ./nptl/pthread_kill.c:89 #3 0x00007ffff19f5476 in __GI_raise (sig=sig@entry=6) at ../sysdeps/posix/raise.c:26 #4 0x00007ffff19db7f3 in __GI_abort () at ./stdlib/abort.c:79 #5 0x00007ffff427127b in WTFCrashWithInfo () at WTF/Headers/wtf/Assertions.h:754 #6 0x00007ffff42e529e in JSC::StructureID::decode (this=0x7ffe00007dd0) at /home/mgadelha/tools/WebKit/Source/JavaScriptCore/runtime/StructureID.h:130 #7 0x00007ffff42e4b75 in JSC::JSCell::structure (this=0x7ffe00007dd0) at /home/mgadelha/tools/WebKit/Source/JavaScriptCore/runtime/JSCellInlines.h:137 #8 0x00007ffff42e8dd9 in JSC::Heap::writeBarrier (this=0x7fffa6000080, from=0x7fffe8020668) at /home/mgadelha/tools/WebKit/Source/JavaScriptCore/heap/HeapInlines.h:121 #9 0x00007ffff42e8d44 in JSC::VM::writeBarrier (this=0x7fffa6000000, from=0x7fffe8020668) at /home/mgadelha/tools/WebKit/Source/JavaScriptCore/runtime/VM.h:894 #10 0x00007ffff42e8973 in JSC::AuxiliaryBarrier<JSC::Butterfly*>::AuxiliaryBarrier<JSC::Butterfly*&> (this=0x7fffe8020670, vm=..., owner=0x7fffe8020668, value=@0x7fffffffc820: 0x0) at /home/mgadelha/tools/WebKit/Source/JavaScriptCore/runtime/AuxiliaryBarrierInlines.h:39 #11 0x00007ffff42e8775 in JSC::JSObject::JSObject (this=0x7fffe8020668, vm=..., structure=0x7ffe00007dd0, butterfly=0x0) at /home/mgadelha/tools/WebKit/Source/JavaScriptCore/runtime/JSObject.h:1374 #12 0x00007ffff42dd7bd in JSC::JSNonFinalObject::JSNonFinalObject (this=0x7fffe8020668, vm=..., structure=0x7ffe00007dd0, butterfly=0x0) at /home/mgadelha/tools/WebKit/Source/JavaScriptCore/runtime/JSObject.h:1202 #13 0x00007ffff5a0a04d in JSC::IntlDurationFormat::IntlDurationFormat (this=0x7fffe8020668, vm=..., structure=0x7ffe00007dd0) at /home/mgadelha/tools/WebKit/Source/JavaScriptCore/runtime/IntlDurationFormat.cpp:74 #14 0x00007ffff5a09ef1 in JSC::IntlDurationFormat::create (vm=..., structure=0x7ffe00007dd0) at /home/mgadelha/tools/WebKit/Source/JavaScriptCore/runtime/IntlDurationFormat.cpp:63 #15 0x00007ffff5a51da2 in JSC::constructIntlDurationFormat (globalObject=0x7fffa641a068, callFrame=0x7fffffffca40) at /home/mgadelha/tools/WebKit/Source/JavaScriptCore/runtime/IntlDurationFormatConstructor.cpp:90 #16 0x00007fffa71ac0c7 in ?? () #17 0x00007fffffffcae0 in ?? () #18 0x00007ffff4231e37 in js_trampoline_op_construct_varargs () from /home/mgadelha/tools/WebKit/WebKitBuild/Debug/lib/libJavaScriptCore.so.1 #19 0x0000000000000000 in ?? () Found by Igalia Fuzzing Campaign. 1900920 1 webkit-bug-importer 2022-09-24 12:31:41 -0700 <rdar://problem/100365199> 1900967 2 ysuzuki 2022-09-24 19:33:55 -0700 Will fix it. 1900968 3 ysuzuki 2022-09-24 19:36:58 -0700 Changing it to non security since it is ToT issue, not shipped into any branches. 1900969 4 ysuzuki 2022-09-24 19:40:28 -0700 Pull request: https://github.com/WebKit/WebKit/pull/4673 1900979 5 ews-feeder 2022-09-24 23:07:10 -0700 Committed 254837@main (3440aeb31ed3): <https://commits.webkit.org/254837@main> Reviewed commits have been landed. Closing PR #4673 and removing active labels. 462586 2022-09-24 12:31:27 -0700 2022-09-24 12:31:27 -0700 Testcase bar.js text/javascript 489 mikhail KGZ1bmN0aW9uKCkgCnsKICBnYygpfSkoKQpmdW5jdGlvbiBfX2ZfMjIoX192XzY0KSB7CiAgcmV0 dXJuIF9fdl82NC5oYXNPd25Qcm9wZXJ0eSgicHJvdG90eXBlIikgJiYKICAgICAgICAgX192XzY0 LnByb3RvdHlwZS5oYXNPd25Qcm9wZXJ0eSgicmVzb2x2ZWRPcHRpb25zIil9CmZ1bmN0aW9uIF9f Zl8yNShfX3ZfNjcpIHsKICBfX3ZfNjggPSBbXQogIHRyeSB7CiAgICBpZiAoX192XzY3ID09SW50 bC5EaXNwbGF5TmFtZXMpCiAgICAgIHRyeSB7CiAgICAgICAgX192XzY4ID0gWyAsIHt0eXBlIDog Imxhbmd1YWdlIn0gXX0gY2F0Y2gge30KICB9IGNhdGNoIHt9CiAgbmV3IF9fdl82NyguLi5fX3Zf NjgpICB9CiAgICBPYmplY3QuZ2V0T3duUHJvcGVydHlOYW1lcyhJbnRsKQogICAgICAgICAgICAg ICAgICAgICAubWFwKF9fdl83MSA9PiBJbnRsW19fdl83MV0pCiAgICAgICAgICAgICAgICAgICAg IC5maWx0ZXIoX19mXzIyKS5maWx0ZXIoIF9fZl8yNSkK